METHOD FOR SWITCHING OVER BETWEEN AT LEAST TWO OPERATING MODES
OF A PROCESSOR UNIT, AS WELL AS CORRESPONDING PROCESSOR UNIT 

Background Information 

The present invention relates to a method for switching over
between at least two operating modes of a processor unit, as
well as a corresponding processor having at least two
integrated execution units, according to the definition of the
species in the independent claims.

Such processing units having at least two integrated execution
units are also known as dual core architectures or multi-core
architectures. Such dual core architectures or multi-core
architectures are provided mainly for two reasons, according
to today's related art:

For one thing, one is able to achieve a performance
improvement using them, by regarding and treating the
execution units or cores as two computing units on a
semiconductor device. In this configuration, the two execution
units or cores process different programs with respect to
tasks. An increased performance may be achieved thereby, which
is why these configurations are designated as performance
mode.

The second reason for implementing a dual core architecture or
multi-core architecture is an increase in security, in that
the two execution units redundantly process the same program.
The results of the two execution units, or CPUs, that is,
cores, are compared and an error may be detected in response
to the comparison for agreement. In the following, this
configuration is designated as safety mode.

In general, the two configurations named are exclusively
included in the dual architecture or multi-core architecture,
that is, the computer having the at least two execution units
is, in principle, only operated in one mode, the performance
mode or the safety mode.

It is the object of the present invention to make possible a
combined operation of such a dual processor unit or multi-core
processor unit with respect to at least two operating types,
and thereby to achieve an optimized switchover strategy,
especially between a safety mode for increased safety and a
performance mode for increased performance.

Summary of the Invention 

For safety reasons, on the one hand a redundant execution of
the program with respect to tasks is desired, and for reasons
of cost, on the other hand, keeping available redundant
hardware during execution of the non-safety-critical functions
is not worth striving for. According to the present invention,
this conflict of aims is solved by an optimized switchover
between at least two operating modes and one processing unit.

Thus, the present invention relates to a method for switching
over between at least two operating modes of a processing unit
having at least two execution units, as well as a processor
unit.

Advantageously, the switchover from a first to a second
operating mode is implemented in that one may take the
opportunity of using a predefined memory address acting as
switchover trigger, that is, hardware components are
introduced such as switchover means (mode selector) or means
of comparison and a corresponding method, as to how, in
operation between safety-critical programs, which are thus
executed redundantly in the safety mode and non-safety-critical
programs which are executed in performance mode
independently of one another on both execution units, one may
optimally switch over.

In this context, the same programs are processed synchronously
in the first operating mode by the at least two execution
units, and are checked by provided means of comparison to make
sure that the statuses of the execution units, created during
the processing of the same programs, agree with one another.
In cases of deviations in this regard, it is then conceivable
to have various error reactions, from an error display, via an
emergency operation all the way to switching off the faulty
unit.

In one special specific embodiment, the safety mode
corresponds to the first operating mode and the performance
mode corresponds to the second operating mode. A switchover
from the second operating mode to the first operating mode
expediently takes place, in this context, by an interruption
request, in particular triggered by a means of interruption,
the interruption request being able to be triggered, on the
one hand, by a time condition or also by a status condition,
that is, it corresponds to a certain status of at least one of
the two execution units or to the occurrence of a certain
event.

Advantageously, a special subdivision takes place in at least
three separate memory regions, the execution units having
access to a first memory region or a second memory region,
depending on the respective operating mode, or more precisely,
are connected to it. In this context, in an expedient manner
in one special embodiment, to each of the at least two
execution units there is assigned a first memory region on the
processor unit, to which they are connected in the first
operating mode, i.e. especially the safety mode, or have
access to it. In the second operating mode, both execution
units have access to only a second memory region that is
assigned to both execution units, or are connected to it.

Now, monitoring means, especially the switchover means
themselves, are expediently provided in such a way that, in
the respective operating mode, access is made only to the
corresponding memory regions or the corresponding connection
to the memory regions exists. This means that, in the second
operating mode, the evaluation means access only the second
memory region and not the first memory regions, and in the
first operating mode, the access takes place only to the
respective first memory regions and not to the second memory
region, which is checked by the aforementioned evaluation
means, and is sanctioned in possibly corresponding error
reactions, such as an error report, emergency operation or
switching off.

In this context, each of the three memory regions mentioned,
that is, the at least two first memory regions as well as the
second memory region are provided in a separate memory module,
so that at least three memory modules are available on the
processor unit. Expediently, the safety-critical programs in
this context are stored respectively in a first memory region,
and the programs that are not critical to safety are stored in
the second memory region. Expediently, the predefined memory
address, that has the trigger function named with respect to
the switchover, is included in the second memory region.

A second advantage comes about if, for the comparison of the
statuses of the execution units in the first operating mode,
explicit means of comparison are provided on the processor
unit, and these means of comparison only function in the first
operating mode, and are put out of function in response to
transition into the second operating mode, so that in an
operation that is non-redundant and is not critical to safety,
no comparison takes place, and with that, no error reaction
that might be provoked under the circumstances.

Additional advantages and advantageous embodiments are given 
by the features of the claims, as well as the contents of the 
specification and the drawings. 

Brief Description of the Drawing 

The present invention is explained in greater detail with 
reference to the exemplary embodiments shown in the drawings. 
The figures show: 

Figure 1 a processor unit according to the present
invention, having at least two execution units
and the hardware components according to the
present invention.

Figure 2 describes a switchover from the safety mode to
the performance mode, whereas

Figure 3 shows a switchover from performance mode to
safety mode.

Description of the Exemplary Embodiments 

In control applications, especially in the field of motor 
vehicle control such as engine control, brake control or 
steering and transmissions, etc., but also in industrial 
applications such as automation or in the field of machine 
tools, there are generally software tasks or programs which 
require a redundant execution for safety reasons, in order to 
detect the occurrence of errors. However, such applications 
that are critical to safety, besides these programs critical 
to safety, also have software components or programs which may 
even be faulty, since they are not necessary for bringing 
about the function itself that is critical to safety or being 
occupied with that, but rather produce only an additional
function, especially a convenience function. A redundant
execution is desirable for safety reasons, but for reasons of
cost, keeping available redundant hardware is not worth
striving for. This way of looking at the problem is solved,
according to the present invention, by the optimized 
switchover between at least two operating modes of the 
processor unit, as has already been described in the 
advantages and subsequently in more detail. 

Thus, in the following, the use of the present invention in a
system critical to safety is shown, for instance, a system
immanent in a vehicle, such as the brakes, steering,
transmission or engine. The processor unit of the system,
according to the present invention, is made up in this case of
a dual core architecture corresponding to Figure 1, that is, a
processor unit 100 having at least two execution units 101 and
102 (CPU1 and CPU2). In this example, in each case a working
memory 110 or 111, also designated as RAM1 and RAM2, is
assigned respectively to the two execution units 101, 102,
that is, CPU1 and CPU2.

Both execution units 101 and 102 are connected to a means of
comparison, a comparator 170. Each execution unit also has a
connection to a means of switching over, a mode selector 130
and 131, to which the comparison element, means of comparison
170 also has connections. The respective volatile working
memory 110 and 111 and switchover means 130 and 131 are in
each case connected via a bus 140 and 141, respectively, to a
first storage means 150 or 151, respectively, and a second
storage means 180.

In this exemplary embodiment, two operating systems are used, 
one for the safety-critical programs or tasks and one for the 
non-safety-critical programs or tasks. OSEKtime OS is used, 
for instance, as the operating system for the safety-critical
programs, and OSEK OS is used, for instance, as the operating 
system for the non-safety-critical tasks. 

As was already mentioned, the application software is
subdivided into safety-critical programs and non-safety-critical
programs. All programs or tasks that are not
classified as safety-critical are allowed to fail, to be
executed in a faulty manner or not to be executed at all. A
danger to the overall system or the environment is not
possible thereby. The safe operation of the overall system is
only made possible by the programs or tasks that are
classified as safety-critical. To be sure, the possibility
exists that the operation, to the extent that it is only
carried out by the safety-critical tasks or programs, leads to
a quality loss of the overall function, which was classified,
however, as being tolerable within predefinable tolerances.

The safety-relevant, that is, the safety-critical tasks or
programs are executed redundantly on both execution units 101
and 102, that is, both CPUs, CPU1 and CPU2. In this context,
these programs are processed under the control of the first
operating system, in this case OSEKtime OS. To do this,
nonvolatile memory region 150 and 151, respectively, is
doubled to form two parts, so that two first memory regions
150 and 151 are present, corresponding to two execution units.
In these first memory regions the safety-critical programs or
tasks exist doubled, that is, redundant. This means that each
of the safety-critical tasks is localized, first of all, in
memory region 150, and secondly in memory region 151. In this
context, in particular, the first operating system itself may
be classified as safety-critical, and is consequently also
stored in both memory regions. This means, in our example,
that operating system OSEKtime OS is stored first of all in
memory region 150 and secondly in memory region 151,
respectively. In this context, in one special embodiment, the
two first memory regions are designed respectively, as their
own nonvolatile storage module ROM1 and ROM2, which are able
to be designed as a ROM, PROM, EPROM, EEPROM, flash EEPROM,
etc.

In this context, a double storing of the safety-critical
programs or tasks is not absolutely necessary. They may be
protected also by using an ECC code (error code and
correction). Such methods for error detection in a memory are
manifold, the base assumption being the protection by an error
detection code or an error correction code, that is, a
signature. In the simplest case, this signature may be made up
of only one signature bit, such as a parity bit. On the other
hand, the protection may also be implemented by complex ED
codes (error detection) such as a Berger code or a Bose-Lin
code, etc., or also by a more complex ECC code, such as, for
instance, a Hamming code, etc., in order to make possible a
safe error detection by an appropriate bit number. However, as
code generator, for instance, a generator table (hardwired or
in software) may also be used, in order to assign to certain
input patterns of the bits a desired code pattern of any
desired length within the scope of the address. The data
safety in the memory is able to be ensured by this, especially
by the correction function, and duplicate storage may be
avoided. Nevertheless, a redundant processing of the
safety-critical programs in the two execution units takes place,
whereby errors are uncovered in the cores, that is, the
execution units, by comparison for agreement, according to the
present invention, only one first memory region being required
for this case of the present invention, in contrast to Figure
1.

In order to increase performance, the programs or tasks that
are not safety-relevant or safety-critical are computed on
both execution units, that is, CPU-distributed, and executed
under the control of the respective suboperating system, which
in this case is the OSEK subsystem. Consequently, on both of
the two execution units there runs particularly an independent
operating system, in this case an independent OSEK system.
Second memory region 180, in which the non-safety-critical
programs or tasks are located, is present in single form. It
is used by both execution units 101 and 102, or rather, it is
accessed by both. In a special specific embodiment, this
second memory region, too, may be designed as an independent
nonvolatile memory element ROM3, and realized as a ROM, PROM,
EPROM, EEPROM, flash EPROM, etc.

In this context, the memory regions, that is, the first and
second memory regions, may be designed in such a way that the
first memory regions or the first memory region, respectively,
(in the case of an ECC protection) is designed, for example,
to lie between 0 and X with respect to the addresses, and the
second memory region between X+1 and Y, also with respect to
the addresses. In addition, a doubled first memory region is
assumed, also only one single first protected memory region
being able to be used, as was explained before. Then, as
mentioned before, the first memory region from 0 to X is
present in doubled form, precisely in one first memory region,
respectively. In this context, each first memory region is
specifically assigned to one execution unit.

In the first operating mode, in this case, for example, the
safety mode, the safety-critical programs or tasks run
redundantly and especially synchronously, on both execution
units, that is, on both CPU 101 and 102. In the means of
comparison, comparator 170, the respective CPU statuses are
compared to each other. In this context, certain statuses are
able to be assigned to certain program phases, which can then
be compared at any point in time that is not critical with
respect to time, provided they are stored temporarily and are
uniquely assignable by an identification character. However,
in the preferred case, the safety-critical programs, or rather
tasks are not only processed redundantly, but synchronously,
so that a comparison of the respective statuses of the
execution units may be performed immediately, during the
operation. The new commands and/or data are then
correspondingly loaded from the respectively assigned first
memory region 150 or 151 respectively, and are processed. The
CPU statuses are checked for agreement, an error being
detected if there is a deviation in the statuses that should
correspond. As the error reaction, it is first of all possible
to have an error indication with respect to the respective
system in which the processor unit is installed, and secondly,
error reactions such as an emergency operation, that is,
operating the system in which the processor unit is contained
in a protected emergency operation, for instance, using extra
programs and/or data provided for this purpose. In this
context, even in the case of a continuing error evaluation,
such as an n of m test, where n and m are natural numbers, and
n > 2, as well as m > n > m/2, or even as a 1 of k code, where
k is a natural number > 1. Using such a test, if, for example,
one execution unit is clearly detected as being faulty, as a
further error reaction switching off this execution unit can
be carried out, and an emergency operation of the remaining
unit or a switchover of the faulty execution unit into
emergency operation.

In the safety mode or, more generally, the first operating
mode, access of the execution units is admissible only to
addresses or data in the first memory regions. This means that
the respective execution unit, in the first operating mode, is
permitted to access only the first memory region, especially
the one that is assigned to it. This is checked by monitoring
means, especially the switchover means or mode selectors 130
or 131, or rather the switchover means in mode selectors 130
and 131. If errors occur in this connection, a comparable
error reaction, as described above, with respect to a
comparison error in response to agreement of the CPU statuses
is conceivable and providable. However, this also means that
the switchover means, in this case mode selectors 130 or 131,
produce a connection to the respectively assigned first memory
region 150 or 151 via bus 140 or 141 for this case of the
first operating mode, or rather monitor a corresponding access
infringement.

In the second operating mode of this exemplary embodiment, the
non-safety-critical programs or tasks are processed. Various
non-safety-critical programs run on both execution units, that
is, CPUs 1 and 2 (101, 102). Among these are, for example,
even the operating system itself for the second operating
mode, namely the OSEK subsystems. The two execution units or
CPUs share therewith a nonvolatile second memory region,
which may be designed as described above. However, its own
volatile working memory region RAM1 and RAM2, 110 or 111, is
assigned to each CPU. Since such corresponding
non-safety-critical programs are not, or not all executed in duplicate,
there exists, at least theoretically, the possibility that the
execution units block each other by waiting for the release of
a resource. One may counter this by a suitable distribution of
the tasks or programs, for instance according to scheduling on
execution units 101 and 102. In this context, additional
measures are also possible, such as alternating access or a
prioritized access as a function of the respective program,
etc. In this second operating mode, no access to an address in
the first memory region is admissible to the performance mode
according to our exemplary embodiment.

Here too, the monitoring is done by monitoring means,
especially by the switchover means, the mode selectors, or
perhaps the monitoring means are designed separately in the
mode selectors. In a detected erroneous access in the second
operating mode, here too, an appropriate error reaction can be
initiated. In this context, first of all, an error reaction
corresponding to the first operating mode is conceivable and
specifiable. This is especially meaningful in that, in a
faulty access, access might indeed be made, under certain
circumstances, to safety-critical memory regions. On the one
hand, this may be implemented in that a connection to the
second memory region is established only in the second
operating mode, and the connection to the first memory regions
is capped in this operating mode, or access to the first
memory region is prevented in another way, and is permitted
only to the second memory region.

The switchover between the operating modes will now be
described again in detail in Figures 2 and 3.

From the first operating mode, that is, in this case the
safety mode, in order to get into the second operating mode,
that is the performance mode in this case, access to a
predefined or singular address is required, whereby a change
to the second operating mode takes place. This singular
address may appear, in this context, in the first memory
region during the program processing, or may be supplied in an
equivalent way externally. This means that in the first
operating mode or safety mode access may only be made to
addresses or to a program in the first memory region; if, for
instance in the second memory region, in this safety mode,
another address is accessed, for example, in the second memory
region, an error is present having a possible corresponding
error reaction. In Figure 2 this is once more made clear. In
block 200, both execution units 101 and 102 are in the first
operating mode, namely the safety mode. In query 210 it is
checked whether the address of the next command is the same as
the trigger address of the corresponding singular switchover
address. If this is not the case, both processing units
continue to be in the first operating mode, and consequently
they access first memory regions 150, 151, respectively.
However, if the address corresponds to the next command and/or
datum of the trigger address, the switchover or the change to
the second operating mode, the performance mode takes place in
block 220. Each execution unit also obtains, in this context,
an address in the second memory region, for which processing
is to be continued in the second operating mode. In this
context, the comparison unit, or rather comparison means 170
is switched off, that is, it is put out of functioning
(disabled). Thus, in block 230 first processing unit 101 is in
the second operating mode, and in block 231 the second
execution unit 102 is also in the second operating mode, the
performance mode. This says that the only possibility of
getting from the safety mode to the performance mode, in
this specific example, is, for example, to invoke a
special OSEKtime task T_Trigger, such as, for instance, the
ttidle task of the OSEKtime operating system, or rather
an address that is included in it and designated as a
trigger address, particularly the initial address of this
program part or this task. This invoking occurs
simultaneously in the two CPUs of necessity, in
particular if the two execution units are operating
synchronously. The T_Trigger task, as just before ttidle, in
this context is for instance an invoking of the OSEK
scheduler, which is in second memory region 180. This
corresponding address is set as a trigger address, in order to
change to the performance mode, for instance in the switchover
devices, namely mode selectors 130, 131. As was said, this
is checked in block 210, that is specifically in the mode
selectors, the switchover means. Thus future address
accesses are allowed to take place, specifically up to a
renewed change into the safety mode, only into ROM region 180,
namely the nonvolatile second memory region.

Now, Figure 3 shows the switchover or the change from the
performance mode especially back into the first operating
mode, the safety mode. In block 300, execution unit 101, that
is, CPU1 is in the second operating mode, the performance
mode. Also, in block 310, second execution unit 102 is in just
the same performance mode, this second operating mode of this
exemplary embodiment. Now, in block 320 or block 321 an
interruption request, an interrupt, is triggered for each
execution unit, because of which there takes place a
switchover in block 330 of both execution units 101 and 102
into the first operating mode, the safety mode. In this
context, the comparison means, comparator 170 is switched in
again, and in block 340, both execution units again run in the
safety mode, the first operating mode. In this context, the
interrupt may be triggered, on the one hand, by a time
condition, that is, a time interrupt, or by a status condition
or an event condition. This means that, in order to change
from the performance mode to the safety mode, an interrupt of
the first operating system OSEKtime is generated. This time
interrupt of the OSEKtime operating system, which has higher
priority than the OSEK operating system, is programmed in the
same way in both CPUs, since the same OSEKtime system runs on
both CPUs. The interrupt, that is, the interruption request
is received at the same time at both CPUs, especially in
synchronously running OSEKtime systems. As was mentioned
before, this gives the OSEKtime scheduler interrupt a very
high, in particular the highest priority, according to the
definition. In the case of synchronicity, both interruption
requests are accordingly executed simultaneously. As has also
been mentioned before, using executions of these interruption
requests, comparison means 170 are also put back into
functioning, that is, switched over into the first operating
state, the safety mode, and the execution units run newly
redundant, in particular.

Besides the already named timer interrupt, a status interrupt
or an event interrupt may also be used, in order to manage the
operating mode change, that was mentioned, from the second to
the first operating mode. In this context, a certain status of
the execution units can, for example, trigger a high priority
interrupt, which is then valid for both execution units. This
may be, for example, a status generated by the processing of
the programs in ROM 180 in a CPU, which triggers such a high
priority interruption request that applies also for the second
CPU. An event, particularly also an event supplied from
externally to the processing unit, is also able to trigger
such an interrupt, and therewith trigger the operating mode
change. The first variant having the time interrupt is
preferred, but the status interrupt or the event interrupt, as
was described, is also conceivable, and is disclosed herewith.
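
The switchover of Figures 2 and 3 together with the memory-region
monitoring described above, modelled in C as an added example that is
not part of the original specification. The address bounds, the value
of the trigger address and all identifiers are assumptions chosen for
illustration, and mode selectors 130 and 131 are collapsed into one
state because both execution units change mode simultaneously.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed address map: first memory regions 0..X, second region X+1..Y. */
#define ADDR_X       0x0FFFu
#define ADDR_Y       0x1FFFu
/* Assumed trigger address: entry of the non-safety-critical scheduler,
 * located in the second memory region. */
#define TRIGGER_ADDR 0x1000u

typedef enum { MODE_SAFETY, MODE_PERFORMANCE } op_mode;
typedef enum { ACC_OK, ACC_SWITCHED, ACC_VIOLATION } access_result;

typedef struct {
    op_mode  mode;               /* current operating mode of both units */
    bool     comparator_enabled; /* comparator 170 works only in safety mode */
    unsigned errors;             /* detected faults (hook for error reactions) */
} proc_unit;

static bool in_first_region(uint32_t a)  { return a <= ADDR_X; }
static bool in_second_region(uint32_t a) { return a > ADDR_X && a <= ADDR_Y; }

/* Start-up state: safety mode with the comparator switched in. */
void pu_reset(proc_unit *pu)
{
    pu->mode = MODE_SAFETY;
    pu->comparator_enabled = true;
    pu->errors = 0;
}

/* Mode selector check on the address of the next command (query 210). */
access_result pu_fetch(proc_unit *pu, uint32_t addr)
{
    if (pu->mode == MODE_SAFETY) {
        if (addr == TRIGGER_ADDR) {          /* block 220: change of mode */
            pu->mode = MODE_PERFORMANCE;
            pu->comparator_enabled = false;
            return ACC_SWITCHED;
        }
        if (in_first_region(addr))
            return ACC_OK;
    } else if (in_second_region(addr)) {
        return ACC_OK;
    }
    pu->errors++;                            /* access outside permitted region */
    return ACC_VIOLATION;
}

/* Interruption request (blocks 320/321 to 330): back to safety mode. */
void pu_interrupt(proc_unit *pu)
{
    pu->mode = MODE_SAFETY;
    pu->comparator_enabled = true;
}

/* Comparator 170: returns true if a status deviation is detected.
 * Out of function in performance mode, so no error reaction is provoked. */
bool pu_compare(proc_unit *pu, uint32_t status_cpu1, uint32_t status_cpu2)
{
    if (!pu->comparator_enabled || status_cpu1 == status_cpu2)
        return false;
    pu->errors++;
    return true;
}

int main(void)
{
    proc_unit pu;
    pu_reset(&pu);
    /* Constructed fetch sequence: safety code, trigger, performance code,
     * then an inadmissible access to the first region in performance mode. */
    const uint32_t trace[] = { 0x0010u, 0x0014u, TRIGGER_ADDR, 0x1200u, 0x0020u };
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        access_result r = pu_fetch(&pu, trace[i]);
        printf("fetch 0x%04x -> result %d, mode %d\n",
               (unsigned)trace[i], (int)r, (int)pu.mode);
    }
    pu_interrupt(&pu);
    printf("after interrupt: mode %d, errors %u\n", (int)pu.mode, pu.errors);
    return 0;
}
```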

In line with the object, we have thus shown an optimized
switchover between two operating modes of a processor unit
having two integrated execution units according to the present
invention, the specific exemplary embodiment being not
supposed to have a limiting effect with regard to the basic
ideas of the subject matter of the present invention.